React and Next.js Vulnerable to Critical (10.0) Remote Code Execution Vulnerability (CVE-2025-55182)
This report is distributed as TLP:CLEAR. Recipients may share this information without restriction. Information is subject to standard copyright rules.
Summary
On 3 December 2025, React disclosed the critical remote code execution (RCE) vulnerability CVE-2025-55182, also known as React2Shell, affecting multiple React Server Components (RCS) packages and the broader ecosystem of frameworks that rely on the React Flight protocol.
On 4 December 2025, Amazon Web Services (AWS) Security reported China-nexus threat actors are actively exploiting CVE-2025-55182 using automated scanning tools and proof-of-concept (PoC) exploit code1 – code that demonstrates and verifies how a vulnerability can be exploited.
Details
CVE-2025-55182 – Critical (10.0): A remote code execution (RCE) vulnerability affecting RCS packages. This vulnerability is an insecure deserialization flaw for decoding RCS Flight protocol requests. A remote, unauthenticated attacker can exploit this vulnerability by sending specially crafted HTTP requests to exposed React Server Function endpoints to achieve RCE.
GreyNoise and Defused honeypots also observed exploitation attempts.23 CyberAlberta Threat Intelligence is aware of scanning tools to identify vulnerable packages and multiple PoC exploits. Initially, the publicly available PoC exploits were assessed to be inert.4 However, working PoC exploits—such as the exploit affecting Node.js version 16.0.65—are emerging.
Affected Products
CVE-2025-55182 affects the following products:
- Versions 19.0, 19.1.0. 19.1.1 and 19.2.0 of:
- react-server-dom-webpack
- react-server-dom-parcel
- react-server-dom-turbopack
- Versions 15.x, 16.x, 14.3.0-canary.77 (and later canary releases) of Next.js
- Other frameworks that bundle the vulnerable packages include:
- React Router (RSC mode)
- Expo
- Vite RSC plugin
- Parcel RSC plugin
- RedwoodSDK
- Waku
Assessment
CyberAlberta Threat Intelligence assesses that active exploitation of CVE-2025-55182 is highly likely to continue and escalate as more threat actors adopt existing PoCs or develop new exploits.
Recommendations
To defend exploitation of the reported vulnerabilities, it is recommended to:
- Assess the codebase for any use of the vulnerable react-server-dom* packages.
- Patch React systems to the latest versions: 19.0.16, 19.1.27, 19.2.18
- Patch Next.js systems to the latest versions: 15.0.5, 15.1.9, 15.2.6, 15.3.6, 15.4.8, 15.5.7, 16.0.7
- Next.js have provided guidance on applying updates in their security advisory9:
- If Next.js cannot currently be upgraded, it is recommended to downgrade to the latest stable 14.x release using the command: npm install next@14
- Apply any available updates for other implicated frameworks:
- Vite RSC plugin
- Parcel RSC plugin
- React Router RSC preview
- Expo
- RedwoodSDK
- Waku
- Hunt for anomalous activity:
- Node spawning child processes for invoking payloads, e.g. cmd.exe or powershell.exe
- Node spawning child processes for downloading payloads, e.g. curl, or wget
- Node spawning child processes for enumeration, e.g. id, whoami, netstat, or uname
Indicators of Compromise (IOCs)
The following table of Indicators of Compromise (IOCs) comprises of observations from GreyNoise,10 and AWS Security.11
Description | Indicator |
|---|---|
IP Address | 206.237.3[.]150 |
45.77.33[.]136 | |
143.198.92[.]82 | |
183.6.80[.]214 | |
URL | http[:]//23.235.188[.]3:652/qMqSb |
HTTP POST request headers to vulnerable endpoints | next-action |
rsc-action-id | |
Anomalous elements in request bodies | $@ |
“status”:”resolved_model” |
Table 1. IOCs Characterizing Exploitation Attempts of React
Further Detail
- React disclosure: https://react.dev/blog/2025/12/03/critical-security-vulnerability-in-react-server-components
- Next,js blog: https://nextjs.org/blog/CVE-2025-66478
- Wiz Blog: https://www.wiz.io/blog/critical-vulnerability-in-react-cve-2025-55182
- Aikido Blog: https://www.aikido.dev/blog/react-nextjs-cve-2025-55182-rce
- AWS Alert: https://aws.amazon.com/security/security-bulletins/rss/aws-2025-030/
- Google Cloud Security & Identity Blog: https://cloud.google.com/blog/products/identity-security/responding-to-cve-2025-55182
References
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/
- https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far
- https://x.com/DefusedCyber/status/1996970968661594119
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/#:~:text=The%20GitHub%20security%20community%20has%20identified%20multiple%20PoCs%20that%20demonstrate%20fundamental%20misunderstandings%20of%20the%20vulnerability
- https://gist.github.com/maple3142/48bc9393f45e068cf8c90ab865c0f5f3
- https://github.com/facebook/react/releases/tag/v19.0.1
- https://github.com/facebook/react/releases/tag/v19.1.2
- https://github.com/facebook/react/releases/tag/v19.2.1
- https://nextjs.org/blog/CVE-2025-66478#required-action
- https://www.greynoise.io/blog/cve-2025-55182-react2shell-opportunistic-exploitation-in-the-wild-what-the-greynoise-observation-grid-is-seeing-so-far#:~:text=What%20we%20are%20observing%20in%20the%20initial%20POST%20request
- https://aws.amazon.com/blogs/security/china-nexus-cyber-threat-groups-rapidly-exploit-react2shell-vulnerability-cve-2025-55182/#:~:text=Indicators%20of%20compromise